From: Edward Agostinho (edward@ceg.co.za)
Date: Sun Nov 23 2003 - 19:02:26 GMT-3
Scott / Michael
Thanks for the explanations....The access-list was one that I just thought
out to bring the point of different subnet masks across.
I understand the principle now.
Michael
You mentioned that the answer needs to be at least a /24. Is that because
the largest subnet size is a /24? If there was a /16 in the access-list
would the answer need to be a /16?
Thanks again
Edward
----- Original Message -----
From: "Michael Snyder" <msnyder@revolutioncomputer.com>
To: <ccielab@groupstudy.com>
Cc: "'Edward Agostinho'" <edward@ceg.co.za>; "'Jonathan V Hays'"
<jhays@jtan.com>
Sent: Sunday, November 23, 2003 10:09 PM
Subject: RE: Summarizing Access-lists
>
> It does matter.  You can't summarize different masks together mainly
> because the final answer has to have the largest scope of any single
> statement that made that summary.
>
> I mean, if your networks were a 10.1.1.1/8 and a 10.2.1.1/30, you know
> there's no way the subnets blend together, so just by looking, the
> answer will be at least a /8 or maybe even a greater scope.
>
>
> > access-list 10 permit 133.6.11.0 0.0.0.127
> > access-list 10 permit 135.16.171.0 0.0.0.255
> > access-list 10 permit 172.60.51.0 0.0.0.127
> > access-list 10 permit 121.15.120.0 0.0.0.31
> > access-list 10 permit 112.59.9.0 0.0.0.255
>
> In this example, the different masks are meant to throw you off.  The
> answer has to be at least a /24.
>
> So let's normalize the list,
>
> 133.6.11.0
> 135.16.171.0
> 172.60.51.0
> 121.15.120.0
> 112.59.9.0
>
> Now using Windows calc in decimal mode, let's do some octet equations.
>
>
> First we'll check the first octet for a common network.  If there isn't a
> common network, then the granddaddy of all summaries is the single line
> answer: 0.0.0.0/0
>
> 133&135&172&121&112=0, which means there's no common network for a one
> line answer, other than a default network.
>
> There's only 5 networks, so let's check pairs for common networks.
>
> 133&135 = 133, there's a common network.
>
> Just checking against the others, 133&172=132, another common network.
>
> Note that we're using the result of the preceding common network check
> to check against the next network.
>
> Using 132&121=0; no good.
>
> Checking 132&112=0; also no good.
>
> Maybe 121&112 are common to each other.  121&112=112, which means we can
> have a two line solution.  The first three networks, then the next two.
>
> BTW, after the fact we could use a different subnet now that we know we
> will have two lines.  Remember we normalized on /24. Had both 121 and
> 112 been /27 we could have used /27 for them in the second statement.
> But in this case the largest scope for both network summary statements
> is still a /24.
>
>
>
> A summary is defined as the networks `and` together for the common
> network, then the values `or` together.  Then take the two results and
> `xor` for the wildcard mask.
>
> You do one octet column at a time.
>
> 133.6.11.0
> 135.16.171.0
> 172.60.51.0
>
> (133&135&172)  xor (133|135|172)
>
> answer 132, 132 xor 175
>
> answer network 132 wildcard 43
>
>
> Next octet,
>
> (6&16&60)  xor (6|16|60)
>
> Network 0, 0 xor 62
>
> Answer network 0 wildcard 62
>
>
> Third octet
>
> (11&171&51) xor (11|171|51)
>
> Network 3, wildcard 184
>
>
> Putting the answers together,
>
> 132.0.3.0 43.62.184.255
>
> Applying the same treatment to
>
>
> 121.15.120.0
> 112.59.9.0
>
> results as
>
> 112.11.8.0  9.52.113.255
>
>
>
> My final answer
>
>
> access-list 10 permit  132.0.3.0   43.62.184.255
> access-list 10 permit  112.11.8.0  9.52.113.255
>
>
> Checking my answer with Boson wildcard util.
>
>
>
>
> IP Address:    112.11.8.0
> Wildcard mask: 9.52.113.255
>
> First Octet Match(es)
>  112- 113
>  120- 121
>
>
> Second Octet Match(es)
>  11
>  15
>  27
>  31
>  43
>  47
>  59
>  63
>
>
> Third Octet Match(es)
>  8- 9
>  24- 25
>  40- 41
>  56- 57
>  72- 73
>  88- 89
>  104- 105
>  120- 121
>
>
> Fourth Octet Match(es)
>  0- 255
>
>
> IP Address:    132.0.3.0
> Wildcard mask: 43.62.184.255
>
> First Octet Match(es)
>  132- 135
>  140- 143
>  164- 167
>  172- 175
>
>
> Second Octet Match(es)
>  0
>  2
>  4
>  6
>  8
>  10
>  12
>  14
>  16
>  18
>  20
>  22
>  24
>  26
>  28
>  30
>  32
>  34
>  36
>  38
>  40
>  42
>  44
>  46
>  48
>  50
>  52
>  54
>  56
>  58
>  60
>  62
>
>
> Third Octet Match(es)
>  3
>  11
>  19
>  27
>  35
>  43
>  51
>  59
>  131
>  139
>  147
>  155
>  163
>  171
>  179
>  187
>
>
> Fourth Octet Match(es)
>  0- 255
>
>
> BTW, I have posted instructions for the decimal subnet method lately on
> Groupstudy, just search for my posts in the last few weeks.
>
>
> -----Original Message-----
> From: Jonathan V Hays [mailto:jhays@jtan.com]
> Sent: Sunday, November 23, 2003 10:24 AM
> To: 'Edward Agostinho'; ccielab@groupstudy.com
> Subject: RE: Summarizing Access-lists
>
> It doesn't matter. Everything is done at the bit level.
>
> -----Original Message-----
> From: Edward Agostinho [mailto:edward@ceg.co.za]
> Sent: Sunday, November 23, 2003 11:12 AM
> To: Jonathan V Hays; ccielab@groupstudy.com
> Subject: Re: Summarizing Access-lists
>
>
> Thanks Jonathan but it still doesn't answer my question or am I
> understanding it wrong?
>
> Brian's examples use common /24 subnets....my question is, what if they
> are not common /24 but mixtures of /24, /25, /27 masks. Or doesn't it
> matter?
>
> Edward
>
> ----- Original Message -----
> From: "Jonathan V Hays" <jhays@jtan.com>
> To: "'Edward Agostinho'" <edward@ceg.co.za>; <ccielab@groupstudy.com>
> Sent: Sunday, November 23, 2003 5:15 PM
> Subject: RE: Summarizing Access-lists
>
>
> > Check out this excellent post from Brian McGahan.
> >
> > http://www.groupstudy.com/archives/ccielab/200303/msg01685.html
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Edward Agostinho
> > Sent: Sunday, November 23, 2003 9:58 AM
> > To: ccielab@groupstudy.com
> > Subject: Summarizing Access-lists
> >
> >
> > Hi group
> >
> > How do we summarize access-lists with different subnet masks?
> >
> > Let's assume you are requested to summarize the following in the least
> > amount of lines:
> >
> > access-list 10 permit 133.6.11.0 0.0.0.127
> > access-list 10 permit 135.16.171.0 0.0.0.255
> > access-list 10 permit 172.60.51.0 0.0.0.127
> > access-list 10 permit 121.15.120.0 0.0.0.31
> > access-list 10 permit 112.59.9.0 0.0.0.255
> >
> > Do I attempt to summarize:
> >
> > access-list 10 permit 133.6.11.0 0.0.0.127
> > access-list 10 permit 172.60.51.0 0.0.0.127
> >
> > and
> >
> > access-list 10 permit 135.16.171.0 0.0.0.255
> > access-list 10 permit 112.59.9.0 0.0.0.255
> >
> > and leave
> >
> > access-list 10 permit 121.15.120.0 0.0.0.31
> >
> > or do I ignore the masks and do a normal AND and XOR with the network
> > portion of the addresses?
> >
> > I know how to summarize them if they all use /24 as the examples given
> > by the rest of the group but never seen one with different subnet masks?
> >
> > Thanks
> >
> > Edward
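
Added example, not part of the original thread: a Python check of the AND/OR/XOR method described above. It goes one step beyond the manual /24 normalization by OR-ing each entry's own wildcard into the result, and it counts how many addresses each summary line permits beyond the original entries. The function names, the constructed test address and the assumption that the grouped entries do not overlap belong to this example.

```python
from ipaddress import IPv4Address

MASK32 = 0xFFFFFFFF

def parse(entry):
    """'addr wildcard' -> (int, int)"""
    addr, wild = entry.split()
    return int(IPv4Address(addr)), int(IPv4Address(wild))

def summarize(entries):
    """One (network, wildcard) pair covering every entry, as dotted strings."""
    and_all, or_all, wild_all = MASK32, 0, 0
    for addr, wild in map(parse, entries):
        base = addr & ~wild & MASK32   # clear the entry's don't-care bits
        and_all &= base                # bits set in every network
        or_all |= base                 # bits set in any network
        wild_all |= wild               # widest per-entry wildcard wins
    wildcard = (and_all ^ or_all) | wild_all
    network = and_all & ~wildcard & MASK32
    return str(IPv4Address(network)), str(IPv4Address(wildcard))

def matches(ip, network, wildcard):
    """True if the ACL line 'network wildcard' matches ip."""
    w = int(IPv4Address(wildcard))
    return (int(IPv4Address(ip)) ^ int(IPv4Address(network))) & ~w & MASK32 == 0

def audit(entries):
    """Compare what the entries intend to permit with what the summary permits."""
    network, wildcard = summarize(entries)
    # Assumes the entries do not overlap, so their sizes can simply be added.
    intended = sum(1 << bin(w).count("1") for _, w in map(parse, entries))
    permitted = 1 << bin(int(IPv4Address(wildcard))).count("1")
    return {"line": f"{network} {wildcard}", "intended": intended,
            "permitted": permitted, "extra": permitted - intended}

# The two groups from the thread, with their original wildcards.
GROUP_A = ["133.6.11.0 0.0.0.127", "135.16.171.0 0.0.0.255", "172.60.51.0 0.0.0.127"]
GROUP_B = ["121.15.120.0 0.0.0.31", "112.59.9.0 0.0.0.255"]

if __name__ == "__main__":
    for group in (GROUP_A, GROUP_B):
        print(audit(group))
    # 140.2.19.5 is a constructed address outside all five original networks.
    print(matches("140.2.19.5", *summarize(GROUP_A)))
```

Each set bit in the wildcard doubles the matched address space, so the "extra" figure is the scope a reviewer has to accept when a non-contiguous summary replaces the explicit entries.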
This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:16 GMT-3